Today we released our Best Practices for Managing IT Security Risks: A Hedge Fund Manager’s Guide, which we developed with eSentire. Following is a sneak peek of the guidance included in the 10-page guidebook. Assuming we have whetted your appetite, you can download the entire guidebook here or attend our upcoming webinar on the topic (register here).

Managing Security Threats Facing Hedge Funds

Most successful cybersecurity attacks in today’s environment occur via three different methods: malware via email, malware via a website download (drive-by download or man-in-the-middle) and transfer via USB. In most cases, an unsuspecting employee will download a virus or open an email, triggering a malware attack that could open the door for further intrusion. Alternatively, a trend becoming more common is the threat of employees transferring information onto USB drives (whether knowingly or unknowingly), resulting in an internal security breach. Externally – and regardless of the intrusion method – attacks typically follow a similar path from start to finish. Global security firm Lockheed Martin has identified the steps of what they call the “cyber kill chain.”

Reconnaissance: Collecting information and learning about the internal structure of the host organization

While these steps may seem well thought-out and can be easily executed by an attacker, the benefit of understanding the cyber kill chain is that it gives the host a chance to counteract. The earlier in the cyber kill chain the host can identify the threat, the better chance it has of thwarting it. And there are several options for thwarting attacks, depending on the stage at which the attack is identified.

Mitigation activities on the host’s part can include detection, denial, disruption, degradation, deception and destruction. Creating a course of action based on various scenarios and a firm’s current abilities to thwart attacks can help gauge effectiveness against such intrusions and identify areas for improvement in a firm’s defense strategy. As part of an overall strategy, firms should also look to implement the following simple best practices to help prevent costly attacks:

Enforce strong passwords and (at least) two-factor authentication

Remove local administrative privileges when possible

Keep patches up-to-date for Microsoft, Adobe, Java Runtime and browsers (the most common threats originate here)

Restrict executable downloads and installations

In addition to implementing technical measures to protect their infrastructures, firms must also employ operational policies and procedures to document incidents and provide transparency to investors and auditors.

Mobile Device Security: Navigating the BYOD Trend

By allowing employees to supply their own devices, an organization inherently loses control over the hardware and how it is used, and must ask how the company can be affected. Governing the fine line between personal and professional use on the same device can be challenging. But without clearly defined policies in place, companies are making themselves vulnerable to a number of security risks.

For instance, 48% of respondents in a recent InformationWeek survey indicated that employees within their organizations had their mobile devices lost or stolen in the past year, with 12% of those cases requiring public disclosure, causing inevitable harm to the business. If proper security measures are not in place, the information contained on that device could become accessible to unauthorized parties and the company's reputation may suffer irreparable damage.

Additionally, there are many security risks involved in using one’s personal device for business purposes that most users may not even be aware of. Many popular smartphone apps, such as public file transfer services, could allow sensitive information to be easily intercepted. Other common activities that could result in leakage of sensitive data include using personal devices to automatically forward work emails to public webmail services and using smartphones to create open Wi-Fi hotspots. Both of these practices make a company’s data extremely vulnerable to hackers.